#VU67910 Improper Verification of Cryptographic Signature in Cosign - CVE-2022-36056

Cybersecurity Help s.r.o.

Published: 2022-10-04

Vulnerability identifier: #VU67910

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-36056

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cosign

Vendor: Sigstore

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper verification of signature when processing artifacts. A remote attacker can supply a specially crafted artifact and bypass the implemented blob verification process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cosign: 0.1.0 - 1.11.1

External links
https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25
https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilitie sin Red Hat Advanced Cluster Security (RHACS)

SUSE update for cosign

Security restrictions bypass in Cosign